Privacy questions

[erictheise]

For both organization and individual profile data there will likely be a desire for tiered data revelation, that is, as an individual, I may want my email address or phone number withheld from random site users but available to other individuals with accounts. As an organization I may have similar concerns. This affects both rendered pages and data coming through the API.

It will be impossible to flag each field so I would suggest maybe we focus privacy options on what unaccounted users can see and limit the options to two flavors: one modest with respect to contact info, one that shows everything . I think anything entered should be accessible by users with accounts.

We'll also need explanatory text about the choice, and translations.

[erictheise]

Related to issues #6 and #7.

[jhung]

Is registration on the directory open to anyone? If that's the case, then having an "internal" and "public" tiers of profile information may have limited use since anyone could register and get access to that information.

Another way to do this is to have two tiers: "Public", and "Authorized" (aka. "Friends"), where someone has to request and receive authorization to see protected info.

[dayotte]

@jhung @erictheise I'm not sure how account sign up and profile creation will be managed/controlled, it brings up a good question. I had been assuming that any information entered into the directory is available publicly. If there is information an org or individual doesn't want to share publicly I'm not clear on why they would include it in the directory. For something like location, street address does not need to be required (especially for individuals) but e.g. city and country could be.

[greatislander]

For clarity, I will be making the following changes:

• Add text indicating to users that any profile information they submit will be displayed on their profile
• Add an optional Contact email field so that users can enter an email for display that is separate from their account email

Also, @erictheise, I was discussing with @dayotte and @cherylhjli about the desirability of storing and displaying individual's full addresses. We don't display them publicly, but rather we just use them to populate the geo data for the individual.

We're not sure there's a clear case for storing precise address data for individuals, and we were wondering if it might make sense to remove the address field for them and geolocate based on the city/town. That would still pinpoint a precise location but it would not be their actual home address. I would value your input on this; I'll address the two items above in a separate PR while I wait for your reply.

[erictheise]

@greatislander, if you geolocate based on city/town everyone in that city/town will have the exact same coordinates and although the number of entities associated with the point/cluster would keep increasing, zooming in would never break up the cluster into individual entries. This behavior is already prevalent for Organizations imported from the ioo.coop/directory data, much (all? but I might have backfilled some back in Jan/Feb?) of which initially collected no street information, only city/town.

My personal experience in mapping myself on public websites is to witness that I've been geolocated to my own or a neighbor's building footprint and then to manipulate the map so that my location is displayed at a nearby intersection.

One practice that's used in epidemiology and possibly law enforcement is to add some randomness to coordinates to obfuscate a true location. For print maps or digital maps that halt zooming at the level of a neighborhood, district, or full city, this is reasonable but in other cases it is problematic as it suggests a ground truth that is false by design.

[greatislander]

Moving mapping questions to #141.